Via post

I have been a personal customer of Private Box for a long time and now I'm being asked to complete the identity verification. Why?

The new Anti-Money Laundering/Counter Funding of Terrorism (AML/CFT) law has been in effect since 2013. We work closely with the New Zealand government to ensure that our business is operating correctly to meet the law. The Department of Internal Affairs (DIA) regularly reviews our identity verification processes and provides feedback.

In light of the feedback we've received, we have updated our processes accordingly. We are now required to complete Identity Verification for every single customer. We regularly review the information we have for each account, and will contact customers if we need updated information or documents.

How long do you keep my information for?

We keep all identity documentation securely while you have an account with us.

If your Private Box account is closed we are required to hold customer data for a further 5 years for Anti-Money Laundering (AML) as per our privacy policy. This is because of Section 50 (3)(a) and 51(2) of New Zealand's AML act.

AML CFT, TCSP and DIA - There are lots of abbreviated terms which are not explained. What do all of these terms mean?

AML/CFT = the Anti-Money Laundering / Counter Funding of Terrorism Act. An “act” is a piece of legislation that is passed into law by the New Zealand government. This is the act that makes it a criminal offence if we do not identify our customers. We normally just refer to this as AML or the AML act.

TCSP = Trust and Company Service Provider. This is the type of entity we are identified as under the AML act.

DIA = Department of Internal Affairs. This is our ‘supervisor’ for our implementation of the AML/CFT act.

DOB = Date of Birth

If the request is based on the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, I do not believe your business is listed within the definition of reporting entity under section 5 of the Act, it is not a bank or financial institution?

"(2) This regulation applies to a person who carries out, as the only or principal part of their business, 1 or more of the following activities: ... (c) providing a registered office, a business address, a correspondence address, or an administrative address for a company, a partnership, or any other legal person or arrangement."

So it's the "correspondence address" part of this law that has all of our customers caught by the act! We are as frustrated as you are at these new laws! It's very heavy-handed and we have requested an exemption from the Minister of Justice, which has been denied by the Honourable Simon Bridges (please see letter attached below).

We have also sought clarification on the term “legal persons” and have received this advice from our legal team:

“Natural people are also considered “legal persons” for the purposes of the regulations.”

Here is the full explanation:

“There is no definition of “legal persons” in the regulations or Act. The Interpretation Act 1999 does not define this term either. The Interpretation Act’s definition of person is ‘person includes a corporation sole, a body corporate, and an unincorporated body’.

There is no explicit legislation on the fact that a natural person is a “person” at law. The reason for this is that it is not arguable that the term “person” does not include a natural person as that is the word’s basic meaning. The term “legal” in front of the word “person” simply notes it is the legal form of “person” the law is concerned with (i.e. the term is widened from its ordinary meaning to include companies etc).”

This basically means that “legal persons” include normal people as well as other legal entities (like companies and trusts).

Part of verification of any details usually involves giving out those details, as in the case of obtaining a credit report, so they may be confirmed with the relevant agency. Therefore the privacy promise is violated if my details are given to others.

We are required by law to verify your details. We do this by using providers in different countries that give us access to public databases and credit files in those countries. We only work with suppliers that we are satisfied have strong privacy practices of their own.

We do not get a credit report on our customers. If the credit file is available in a country for a certain individual, then the details supplied to us are cross-referenced with their file (e.g. name, DOB and residential address).

And yes, this means you have to trust not only us with your information but also the suppliers we choose to work with. For full details on who we use to verify your information please see our privacy policy at https://www.privatebox.co.nz/privacy policy

Does Private Box receive a financial benefit for giving out this information to these corporations, who admit in their own privacy statements that they then provide it to others?

Of course not. We actually pay these companies for a service. We do not receive any financial benefit and they will not disclose our customers' details to anyone else. If they did, they would be in breach of the contract we have with them.

The privacy policy you are referring to is for their public website and is different to the service we are using them for.

If you have concerns around this area we can let you know which organisations we have cross-referenced your details with and what contractual obligations they are under to keep your information safe.

Customers who value their privacy would be alarmed at the flimsiness of the Private Box Ltd Privacy promise as mentioned from your website above; personal information is being shared with multiple organisations and onsold again and again!

This is simply not true. The information is not on-sold. We value our customers' privacy. In fact, we wouldn’t have much of a business if customers did not trust us with their personal details (like their mail!). We are proud of the level of service we provide our customers around protecting their privacy while making their lives more convenient. We have legal obligations and are fulfilling them in an efficient and professional manner.

However I will not consent to my private details then being given to third parties some of whom are foreign institutions in the USA and Canada for so called verification, why would these institutions already have the private information of New Zealand customers anyway?

These companies will have agreements in place with the New Zealand government to access official databases like the drivers license database with NZTA or the passport database with DIA. Only companies that pass a high level of scrutiny are allowed to access these databases and these are the only type of companies that we work with.

It is much easier (and cheaper) to work with a company that has access to these databases themselves rather than attempting to get access directly ourselves.